/ip firewall layer7-protocol
add comment="" name="conficker A" regexp="|e8 ff ff ff ff c1|^|8d|N|10\r\
    \n80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c\r\
    \ncc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\\;|d3|WG|02 c3|,|dc c4\r\
    \nc4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\\;|b3 c0 96 96 95 92\r\
    \n96|\\;|f3|\\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95\r\
    \ne4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5\r\
    \ndc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07\r\
    \na4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb\r\
    \neb|"
add comment="" name="conficker B" regexp="|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d\r\
    \na0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4\r\
    \n94|&<O8|92|\\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03\r\
    \nc5 bc ea 95|\\;|b3 c0 96 96 95 92 96|\\;|f3|\\;|24 |i|95 92|QO|8f f8|O|88\r\
    \ncf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6\r\
    \nc6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0\r\
    \nb6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab\r\
    \naa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"
/ip firewall mangle
add action=add-src-to-address-list address-list="infected conficker A" address-list-timeout=1d chain=prerouting comment="" disabled=no dst-port=80 \
    layer7-protocol="conficker A" protocol=tcp
add action=add-src-to-address-list address-list="infected conficker B" address-list-timeout=1d chain=prerouting comment="" disabled=no dst-port=80 \
    layer7-protocol="conficker B" protocol=tcp
/ip firewall filter
add action=drop chain=input comment="conficker A/B" disabled=no dst-port=80 layer7-protocol="conficker A" protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=80 layer7-protocol="conficker B" protocol=tcp
add action=drop chain=forward comment="conficker A/B" disabled=no dst-port=80 layer7-protocol="conficker A" protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=80 layer7-protocol="conficker B" protocol=tcp
add action=drop chain=forward comment=NetBEUI disabled=no dst-port=445 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=output comment="conficker A/B" disabled=no dst-port=80 layer7-protocol="conficker A" protocol=tcp
add action=drop chain=output comment="" disabled=no dst-port=80 layer7-protocol="conficker B" protocol=tcp
